Signed Integer Overflow in Perl's Storable Module Affects Multiple Versions
CVE-2026-57433
Currently unrated
What is CVE-2026-57433?
The Storable module in Perl prior to version 3.41 contains a vulnerability that arises from a signed integer overflow during the deserialization of crafted SX_HOOK records. Specifically, the 'retrieve_hook_common' function reads a signed 32-bit item count, which can be manipulated to trigger an overflow when augmented by one. If the item count is set to I32_MAX, this leads to a negative value being passed to the 'av_extend' function, causing the process to panic and terminate unexpectedly. This vulnerability emphasizes the need for careful validation and handling of input data in serialization processes.
Affected Version(s)
Storable 0 < 3.41
